Saturday, April 30, 2016

domain name system - Setting up SRV records for a Minecraft server



I have a Minecraft server listening on port 25566, and I'm trying to set up an SRV record on my domain so you can access the game server by just typing the address play.example.com.




After many tries, it seems I can't get it to work. Here's what I've done:




  1. Set up an A record pointing to my server:



    Name: play.example.com    Destination IP Address: 123.4.5.6

  2. Set up an SRV record like this:



    Name: _gserver._tcp.play.example.com Priority: 0 Weight: 0 Port: 25566 Value: play.example.com




When I try to access play.example.com, it doesn't redirect me to the port.
For some reason the A record works, but the SRV record doesn't.



Any idea why this isn't working?


Answer



The service name that Minecraft uses is minecraft, not gserver.




The SRV record should be




  • Name: _minecraft._tcp.play.example.com

  • Priority: 0

  • Weight: 0

  • Port: 25566

  • Value: play.example.com
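
For reference, here is a minimal zone-file sketch of those two records (BIND-style syntax, using the names and IP from the question):

play.example.com.                   IN A    123.4.5.6
_minecraft._tcp.play.example.com.   IN SRV  0 0 25566 play.example.com.

Once it has propagated, you can verify it with dig SRV _minecraft._tcp.play.example.com.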


windows - Dual-homed server DNS registration issue

In our environment, most Windows Servers are dual-homed.



The first NIC, called 'Public' is the one:





  • used by the servers to communicate with Active Directory

  • with a default gateway set

  • via which the applications should be exposed

  • via which the RDP connections should be established



The second NIC, called 'Management' is mainly used to take backups and for monitoring purposes.




Both NICs are in separate (and symmetric) private VLANs. For example:
- Domain controllers: 10.2.0.0/24
- Public: 10.2.1.2/24 with default gateway set to: 10.2.1.1 (pfSense firewall interface)
- Management: 10.2.2.2/24, no default gateway set (10.2.2.1 being the pfSense firewall interface)



Currently, we do the following:
- the first NIC registers itself in DNS (FQDN, for example someserver.ourdomain.local)
- the second NIC does not register itself in DNS and we manually create forward & reverse records in a separate zone, for example: someserver.mgt.ourdomain.local



What we would like to achieve is to enable DNS registration for the second NIC so that we don't have to manually create the records in DNS.




We have added 'mgt.ourdomain.local' in the list of allowed DNS suffixes (msDS-AllowedDNSSuffixes) as described here



This allows us to define the 'DNS Suffix for this connection' value in the IPv4 settings of the second NIC (management). That, combined with 'Use this connection's DNS suffix in DNS registration' almost does what we want.



It successfully registers 'someserver.mgt.ourdomain.local', but the problem is that it also registers 'someserver.ourdomain.local'.



And thus, we have two DNS entries for someserver.ourdomain.local and we would like to avoid that.



Is there a registry setting that could stop the machine's primary DNS suffix from being registered, so that the server only registers in DNS using the suffix specified at the adapter level?
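
For reference, the two connection-level settings mentioned above can also be driven from PowerShell on 2012-era servers. This is only a sketch: the interface alias is an assumption, and it merely mirrors the GUI checkboxes rather than suppressing the primary-suffix registration:

# set the connection-specific suffix and register using it ("Management" is a placeholder alias)
Set-DnsClient -InterfaceAlias "Management" -ConnectionSpecificSuffix "mgt.ourdomain.local" -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true

# inspect the resulting per-adapter DNS client settings
Get-DnsClient -InterfaceAlias "Management" | Format-List *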

mount / and / or apache - php permissions : where should I look?




Here's the configuration:



The directory :



/var/www/mount_ImpExp/ImpExp/



is a shared (Linux) directory from a PC with the IP address 192.168.1.12



My PC's IP address is 192.168.1.11




I mounted that shared dir with the command:
mount -t cifs -o auto,username=myusername,password=mypass //192.168.0.12/LINUX_U /var/www/mount_ImpExp



If I try to manually launch an rsync with:



rsync -t /var/www/mount_ImpExp/ImpExp/compteur_assur /usr/bin/



This works:



ls -al /usr/bin/compteur_assur

-rwxr-xr-x 1 zobz zobz 2501 2009-06-09 15:44 /usr/bin/compteur_assur


Now I create an exec.php file in my website; the path is:
/var/www/html/Internet/mywebsite



The source is:




echo date('d/m/Y H:i:s');
echo "
";

var_dump(
system("rsync -t /var/www/mount_ImpExp/ImpExp/compteur_assur /usr/bin/"));


It doesn't work.



In php.ini, "safe_mode" is "off", so I should be able to execute any shell command.
If I modify the exec.php file and do a simple:

var_dump( system("ls -al ."));


It works. So the "system" call works.



Thus I tried to modify the options in the httpd.conf file:





# Added by Olivier Pons / 11 June 2009

AddDefaultCharset UTF-8
Options All

AllowOverride All
Order allow,deny
Allow from all




I then restarted the server and nothing works.
What should I do, and where should I look next? I'm stuck...


Answer




Okay, I found the problem: it's a "permission problem" (or "rights problem", I'm not sure how to say it in English, sorry):




[Batman]:/var/www/html/Internet/mywebsite# chown apache:apache /var/www/mount_ImpExp/
chown: changing ownership of `/var/www/mount_ImpExp/': Permission denied
[Batman]:/var/www/html/Internet/mywebsite# chmod o+r /var/www/mount_ImpExp/
chmod: changing permissions of `/var/www/mount_ImpExp/': Permission denied
[Batman]:/var/www/html/Internet/mywebsite#
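
The chown/chmod fail because, on a CIFS mount without UNIX extensions, the apparent owner and permissions come from the mount options rather than from chown/chmod. A sketch of remounting the share so apache can read it (the uid/gid/mode values are assumptions to adjust to your setup):

umount /var/www/mount_ImpExp
mount -t cifs -o username=myusername,password=mypass,uid=apache,gid=apache,file_mode=0644,dir_mode=0755 //192.168.0.12/LINUX_U /var/www/mount_ImpExp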

Friday, April 29, 2016

domain name system - Suggestions required for Internal DNS



I'm setting up a new server environment consisting of 70+ servers, all running Linux (Red Hat/CentOS mixed). I want to set up a couple of DNS servers (primary/secondary) to be used/configured on all servers, which should mainly be able to take care of the following things.



1. Authoritative DNS for resolving local server entries.




I want to assign simple domain names to servers (mostly A records), like db1.example.int
or app1.example.int. The basic idea is that servers should be able to reach each other via their
(internal) DNS names.



2. Recursive / Cached DNS resolution for public domains (like google.com).



For resolving any DNS entries other than the local domain (example.int), queries should be sent
to upstream DNS servers configured as forwarders.



Currently I'm exploring BIND & dnsmasq for this purpose. Should I go with BIND, or should I try dnsmasq (with DHCP disabled, since all my servers will be using static IPs)? Please share your thoughts and experiences if you have worked on a similar setup.



Answer



In general this is called "split DNS". You create a system where the DNS records seen outside the company are different than the DNS records seen inside the company. In particular, outsiders see www.example.com and other externally-visible hosts. Inside the company all machines have DNS records... these records are not seen outside.




  1. Pick an internal domain.



Typically machines inside the company are on a subdomain of the company's domain. For example if your company is example.com, all machines inside are MACHINENAME.corp.example.com. The problem with this is that you can never use "corp.example.com" as an external DNS name.



Warning: I once saw a company use "inside" instead of "corp". When marketing wanted to make an external website called "inside.example.com" (an "insider's guide" to using their product) it became a political nightmare.




Warning: I highly recommend an additional level of hierarchy. MACHINENAME.LOCATION.corp.example.com. "location" can be "hq" for the headquarters, "nyc" for the NYC sales office, etc. Most organizations use 3-letter codes, often the nearest airport code.



When I was at one company, we made every machine "MACHINENAME.corp.example.com" in the headquarters because we didn't think we'd ever have local offices. When we opened large offices elsewhere, they were "MACHINENAME.SITE.corp.example.com". Every tool we wrote had to special-case the fact that HQ was different. Eventually we had to change HQ to be just like all the other sites. It was a painful transition. Yet I see companies make this mistake over and over again. Therefore, even if you have no plans for growth beyond one building, I still recommend MACHINENAME.LOCATION.corp.example.com.




  1. Configure "split DNS" or DNS "views" on your DNS servers.



BIND and other DNS systems can be configured to provide different answers based on the source of the DNS request, or the interface that the DNS request came on.




For example, if you have a DNS server with 1 NIC inside the company and 1 NIC outside the company:



Inside NIC:




  • LOCATION.corp.example.com (for each location)

  • corp.example.com

  • example.com.

  • All other domains use the DNS "forwarders"




Outside NIC:




  • example.com (the SAME zone file as the inside NIC uses)

  • Any "recursive" or forwarding disabled.



You can also have 2 different machines, each with a different configuration.




SOFTWARE:



Note: I don't think dnsmasq can do split DNS. BIND can, as can most other "enterprise" products. Look for "views" or "Split DNS" in the manual.
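
For illustration, a minimal BIND "views" sketch (the ACL networks and zone file names are assumptions, not a drop-in config):

acl corpnets { 10.0.0.0/8; 127.0.0.0/8; };

view "internal" {
    match-clients { corpnets; };
    recursion yes;
    zone "corp.example.com" { type master; file "db.corp.example.com"; };
    zone "example.com"      { type master; file "db.example.com"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" { type master; file "db.example.com"; };
};

The key point is that the same zone name can appear in both views, backed by the same or by different zone files.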


smtp - How to recover domain name from previous bad SPF record?

TL;DR: We had SPF too permissive (+all) and spammers used this to send tons of spam "from" our domain. We restricted that to ~all and added DMARC (not DKIM though), now other providers do not trust our real emails. How to make them trust our domain/SPF record without making it too permissive again?



I've worked for this company for a while now. However, the DNS management is done by other people.



I've noticed that our SPF record was pretty bad (literally +all at the end), and the people who manage DNS argued that this was needed since many servers send automatic weekly/daily reports. However, on closer inspection, those servers do not use our mailing domain name. So I suggested fixing the SPF record to have at least ~all at the end and adding a DMARC record to receive reports of messages that are considered spam. We could not add DKIM, as there are multiple systems that need to send email (all proxied via Gmail servers with their smtp-proxy servers).



Once we had done so, we started receiving large numbers of reports about spam messages with our domain name as the sender. All of them do look like spam and were definitely not sent from our servers.




Obviously this is what we wanted to achieve, but now I see that our legit messages are sent to spam as well, even though all sending servers are added in SPF (we use Gmail for business).



Q: How can we recover from this and make other providers trust emails sent by hosts in our (now valid) SPF?



UPD: Below are examples of SPF and DMARC records we have:



v=spf1 ip4:xx.xx.xx.xx ip4:yy.yy.yy.yy ip4:zz.zz.zz.zz include:_spf.google.com ~all

v=DMARC1; p=none; rua=mailto:dmarc.report@company.com; ruf=mailto:dmarc.report@company.com; sp=none; fo=1; adkim=r; aspf=s
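
As a quick sanity check that the published records resolve from outside (substitute the real domain for company.com):

dig +short TXT company.com          # should include the v=spf1 record above
dig +short TXT _dmarc.company.com   # should return the v=DMARC1 record above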

Thursday, April 28, 2016

zfsonlinux - Create a backup of a ZFS volume



I am unable to create a replica of an existing ZFS volume and snapshots. For my other volumes, I am synchronizing the backups nightly via zfs send / zfs receive and that works okay.



That said, I thought the process to create a replica of an existing volume was basically:



zfs send -vR zfs_volume_name@snapshot_name | ssh -x backup_server sudo zfs receive zfs_backup_volume_name



However, when I do that, I get:



cannot receive new filesystem stream: invalid backup stream


When I start the command to sync, it looks like it is going to work. It starts saying the expected size for each snapshot it is going to send, but then it quickly dies with the above error.



If it is of any significance, I am doing this because one of my backup volumes was not synced in a very long time and I am missing some incremental snapshots, so there is no common ground. I renamed the existing volume with the date I discovered the problem and intend to create a new volume from the new master. Once I get the new backup volume up and running, I will drop the old one.




I believe the only difference between my incremental syncs and this one is that the incrementals use -I, so I would expect this to work for a full backup.



If I simply send the backup stream to a file, it works okay. I have the same version of ZFS on both the source and target, albeit a newer kernel. I suspect that the pools are different versions, but the version number doesn't display on either when I do zpool get version.


Answer



I believe the problem was caused by using an older OS (despite the ZFS version installed being the same). I am now running the same OS version on both boxes (cloned with dd if=current_root of=usb_device) and am able to sync as expected.
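
If you need to compare the two ends in a case like this, a rough sketch (pool names are placeholders): on pools that use feature flags, zpool get version prints "-", so compare the feature properties instead.

zpool get version tank                 # "-" means the pool uses feature flags
zpool upgrade -v                       # versions/features supported by this build
zpool get all tank | grep feature@     # compare enabled/active features on both hosts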


networking - Open source network tap

I've recently begun researching network monitoring solutions. I've configured SPAN on our Cisco Catalyst, and it's working OK, but I've been reading up on taps too. Most of the articles I've seen cite cost as the major drawback. Unless there's something I'm missing about this technology, it seems like it could be implemented with a commodity PC and three NICs (in, out, and the monitor port). Does something like this exist, or am I way off?
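
The commodity-PC idea does exist in software form: bridge two NICs and sniff the bridge. A sketch (eth1/eth2 are assumptions; unlike a passive hardware tap, this puts a device in the path that can drop traffic if the box is overloaded or powered off):

ip link add name br0 type bridge
ip link set eth1 master br0
ip link set eth2 master br0
ip link set eth1 up && ip link set eth2 up && ip link set br0 up
tcpdump -i br0 -w capture.pcap   # or point your monitoring tool at br0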

Wednesday, April 27, 2016

linux - How to boot GRUB2 so it mounts "root" on a different drive (remote server without kvm switch)

Summary:
I created a copy of the root file system on a raid array (with one disk on it), and im trying to get the system to boot off that newly copied drive.



Background:





  • 2 disks of same size in server (sda, sdb)

  • sdb not being used

  • i am trying to transition the whole thing to a raid1 mirror

  • current active partitions:


    • sda1 - boot

    • sda2 - swap

    • sda3 - root (mounted to "/")





I am not sure if it is possible to make a full RAID1 system which can boot off either drive, since I do not have KVM access (I can only ask them to help me out of a jam via trouble ticket).



Done so far:




  • Created partitions on sdb to match sda

  • Created new raid1 array (with 1 disk)


  • /dev/md3 consists of 1 disk: /dev/sdb3

  • mount /dev/md3 /mnt/md3

  • cp -ax / /mnt/md3

  • So now I have matching copies of data on / and /dev/md3



Can I just edit GRUB2 to make /dev/md3 the root, and everything should be ok right?



I need to be absolutely sure, since I have no kvm access. I looked at /boot/grub/grub.cfg and I see this entry:




menuentry 'Ubuntu, with Linux 2.6.32-28-generic-pae' --class ubuntu --class gnu-linux --class gnu --class os {
recordfail
insmod ext2
set root='(hd0,1)'
search --no-floppy --fs-uuid --set 18de6bbd-e46d-4f89-a2c9-fa2e7fa718b7
linux /vmlinuz-2.6.32-28-generic-pae root=/dev/sda3 ro
initrd /initrd.img-2.6.32-28-generic-pae
}



So, note the "root=/dev/sda3" part. Can I just replace that with "root=/dev/md3", then reboot??

domain name system - Active Directory Authentication and Sites

We have an AD domain with two sites and 6 domain controllers. Four of the DCs are in our primary site and 2 are in our secondary site, and they are a mixture of 2003 and 2008 machines. As far as I can tell our sites are set up properly, with the correct subnet associations and all that.



Our problem is that we constantly have users in our main site that wind up authenticating against the DCs in the remote site, which slows things down quite a bit. I thought proper site configuration was supposed to prevent this. Am I missing something? Do we have something configured wrong?

vps - CoreOS hostname on reboot



Recently, I created a CoreOS droplet on DigitalOcean. Everything works well, except for the fact that I'm not able to change the hostname of my VPS. When I change the hostname to what it should be using sudo hostnamectl set-hostname myhostname.org (the documented way of doing so), it indeed changes the hostname system-wide (e.g. /etc/hostname reflects the new hostname). However, when I reboot the VPS, the hostname gets reverted to what it used to be.




It might not be a coincidence, but the hostname always reverts to the original name of the droplet. I've already changed that name about one week ago to the correct hostname. I have read stories about DHCP influencing the hostname on reboot, but I'm not able to find a solution to avoid that on CoreOS.



How to change the hostname of CoreOS in such a way that it will remain the same after a reboot?



Thanks in advance!


Answer



On DigitalOcean (and some other cloud providers; OpenStack, for example), metadata is provided on each boot of the machine (either via cloud-config or via the options you provided in the DigitalOcean web interface). When you gave the droplet/VM a name, you signalled to the metadata service that you wanted the hostname to be that value. cloud-config is honoring the request put forth by the DigitalOcean metadata service. This is a design pattern, and operating outside of it would be much like trying to avoid using convention over configuration in Rails. You can do it, but you're only making things harder on yourself.



Inside the DigitalOcean web interface you can rename the droplet: select Droplet -> "Settings" -> "Rename".




As to why the option in the previous answer does not exist: CoreOS does not ship Python, so cloud-init had to be re-written in a compiled language (hence it being written in Go). To view the metadata on DigitalOcean, log into the host and run the command:



$ curl http://169.254.169.254/metadata/v1/user-data
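
If you would rather pin the hostname yourself, coreos-cloudinit also honors a hostname directive in user-data. A minimal sketch (whether this overrides the name injected by the DigitalOcean metadata depends on how the droplet consumes user-data, so treat it as something to test):

#cloud-config
hostname: myhostname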

iptables - Routing Port 443 traffic from RedHat 7 host to multiple guest KVMs

I have a RedHat 7 server and a couple of Ubuntu KVMs.
The guest vms are connected using NAT because we do not have any public IP addresses to spare at this moment.



Is it possible to use iptables to route traffic from host port 443 to all the VMs?




I already have iptables rules to route SSH from the outside IP address directly to the VMs.
I am assuming that because I'm routing a dedicated port number to each VM, it is not possible to route a single host port to all of my VMs.



The default incoming and forwarding is set to deny.
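
For context, a sketch of the kind of per-VM DNAT rules described above (the 192.168.122.x addresses are the default libvirt NAT subnet and the ports are placeholders):

iptables -t nat -A PREROUTING -p tcp --dport 2201 -j DNAT --to-destination 192.168.122.11:22
iptables -t nat -A PREROUTING -p tcp --dport 2202 -j DNAT --to-destination 192.168.122.12:22
iptables -A FORWARD -d 192.168.122.11 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -d 192.168.122.12 -p tcp --dport 22 -j ACCEPT

A single DNAT rule can only send host port 443 to one backend, so fanning 443 out to several VMs would need something in front of them (a reverse proxy or distinct ports/IPs) rather than plain port forwarding.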

iptables - Prevent non-intercept Squid traffic being tagged by Policy Routing

I've re-edited the original question, because I have changed the setup since the original answer, which was for NAT based setup. NAT is no longer being used and has been replaced with TPROXY for IPv6 compatibility.



I'm running squid in a small network. I've setup a couple of squid listening ports for different scenarios.



Excerpt of squid.conf




  • http_port 3128 - This will be pushed to Windows clients via domain policy, with the HTTP proxy set via WPAD.

  • http_port 3129 tproxy - This is for clients that are having traffic on port 80 intercepted.




For the TPROXY setup I'm using the following iptables/ip6tables rules on my DD-WRT router, with iproute2 to mark and redirect traffic to the proxy. The problem is that in this setup all traffic is tagged, including IPv4 and IPv6 traffic that is going to the Squid proxy via the port 3128 setup.



I need a way to exclude this traffic because it is adding overhead and breaking connectivity (particularly IPv6) on LAN clients that have the proxy applied directly.



I'm aware I could add specific clients to the PREROUTING table with an ACCEPT rule, but doing this for both IPv4 and IPv6 will become hard to manage quickly. I need to find a generic way to exclude all LAN clients that go through the Squid Proxy on port 3128 at router level but I don't know the best way to do it.



Current DD-WRT Squid policy routing:




# Squid transparent proxy
PROXY_IPV4=192.168.x.x
PROXY_IPV6=2001:470:xxxx:xx::x
CLIENTIFACE=br0
FWMARK=3

iptables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV4 -p tcp --dport 80 -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT

iptables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK

iptables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT

iptables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT

ip rule add fwmark $FWMARK table 2
ip -6 rule add fwmark $FWMARK table 2
ip route add default via $PROXY_IPV4 table 2

ip -6 route add default via $PROXY_IPV6 table 2

# End Squid intercept proxy config
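
One way to keep the per-client ACCEPT approach manageable is to put the proxy-configured clients into an ipset and match the whole set with a single rule per protocol. A sketch, assuming the DD-WRT build ships ipset (the addresses are placeholders):

ipset create proxy_clients hash:ip
ipset create proxy_clients6 hash:ip family inet6
ipset add proxy_clients 192.168.x.50
ipset add proxy_clients6 2001:470:xxxx:xx::50

# insert ahead of the MARK rules
iptables -t mangle -I PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -m set --match-set proxy_clients src -j ACCEPT
ip6tables -t mangle -I PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -m set --match-set proxy_clients6 src -j ACCEPT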

ssh - How to allow write on SFTP only setup?

I'm trying to set up FreeBSD 10 with an account that can SFTP, but not SSH.




I've got my sftponly group and my specific account is a member of that group. My sshd_config contains:



Match Group sftponly
ChrootDirectory /home/account
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp



The /home/account directory is mode 755 with root:sftponly ownership. In this configuration I can log in, list the directory, and "get" files, but cannot upload files (write permission denied). If I change the account directory to 775 to give the sftponly group write permission, then the login is blocked. What's the appropriate setup for allowing read AND write SFTP operations with SSH blocked?
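
For reference, a common layout sketch for this situation: sshd requires the ChrootDirectory itself to be root-owned and not group/world-writable, so writes go into a subdirectory owned by the account instead (the "upload" name is an assumption):

chown root:wheel /home/account
chmod 755 /home/account
mkdir -p /home/account/upload
chown account:sftponly /home/account/upload
chmod 775 /home/account/upload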

Tuesday, April 26, 2016

process - Determining how all memory is used in Windows Server 2008

I have a Windows Server 2008 system, which has 12GB of RAM.



If I list all processes in the Task Manager, and SUM() the memory of each process (Working Set, Memory (Private Working Set), Commit Size, ...), I never reach more than 4-5GB that should be "in use". However, task manager reports this server has 11GB in use via the "Performance" tab.



I'm failing to determine where all that used RAM is going. It doesn't seem to be system cache, but I can not be sure.



It might be a memory leak in one of the appliances, but I'm struggling to find out which one. The server's memory keeps filling up, and eventually forces us to reboot the device to clear it.




I've been reading up on how RAM assignments work on Windows Server:





But I fear I'm stuck without ideas at the moment.

windows server 2008 - Adding multiple websites with different SSL certificates in IIS 7



I'm having trouble using SSL for 2 different websites on my IIS 7 server.
Please see my setup below:



website1: my.corporate.portal.com



SSL certificate for website1: *.corporate.portal.com




https/443 bound to my.corporate.portal.com



website2: client.portal.com
SSL certificate issued for: client.portal.com
When I try to bind HTTPS in IIS 7 with the client's certificate, I don't have the option to enter a host name (it's grayed out), and as soon as I select the 'client.portal.com' cert, I get the following error in IIS:



At least one other site is using the same HTTPS binding
and the binding is configured with a different certificate.
Are you sure that you want to reuse this HTTPS binding
and reassign the other site or sites to use the new certificate?



If I click 'yes' my.corporate.portal.com website stops using the proper SSL cert.



Could you suggest something?


Answer



Implementing Elastic Load Balancing for the Amazon instance solved the issue (http://aws.amazon.com/elasticloadbalancing/)


email - Postfix alias only forwarding to local users



I have set up Dovecot and Postfix using this tutorial, which works for receiving and sending mail. The aliases also work fine, although only for local users, i.e. I can make a forward from noaddress@mydomain.com to realaddress@mydomain.com, where only realaddress is defined as a virtual user (using MySQL). What I want to do is forward to an external address, such as Gmail or another mail server. All my config files are exactly as stated in the link above.
I've tried adding





virtual_alias_domains =




to postfix/main.cf, but that didn't solve anything.



Also manually adding the domains there, i.e.




virtual_alias_domains = forwarddomain.com





didn't work. The error I get is




to=, orig_to=,
relay=mydomain.com[private/dovecot-lmtp], delay=0.07,
delays=0.05/0.01/0/0.01, dsn=5.1.1, status=bounced (host
mydomain.com[private/dovecot-lmtp] said: 550 5.1.1
User doesn't exist:
contact@forwarddomain.com (in reply to RCPT TO command))
.





Output of postconf -n:




alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix

content_filter = scan:127.0.0.1:10026
inet_interfaces = all
mailbox_size_limit = 0
mydestination = localhost
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +

relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem

smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_use_tls = yes
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

Answer



Finally found the answer: it turned out Postfix was trying to connect to Gmail using IPv6. To fix this, configure IPv6 properly on the server, or, like I did, disable IPv6 in /etc/postfix/main.cf by adding the following line:





inet_protocols = ipv4




and restarting postfix:




service postfix restart




Monday, April 25, 2016

permissions - Cannot Access Shared Folder From IIS

From IIS I need to access a folder on another computer. Both servers are Window 2008 SP2, and they live in a Virtual Private Cloud on Amazon EC2. They reach one another by private IP -- they are in WORKGROUP, not a domain.



I can access the shared folder manually when logged in to the client as Administrator. But IIS gets "access denied." Here's what I have done:




  1. Set File Sharing = ON

  2. Set Password Protected Sharing = OFF

  3. Set Public Folder Sharing = ON

  4. Shared the folder


  5. Added permission to the share: Everyone, Full Control

  6. Added permission to the share: NETWORK SERVICE, Full Control

  7. Verified that File & Printer Sharing is checked in Windows Firewall

  8. Opened port 445 to inbound traffic from local sources



I tried adding \NETWORK SERVICE to the share but it says it does not recognize the machine, which makes sense, I guess.



As I said, from the other computer I have no trouble accessing the shared folder from my user account, but IIS is shut out. How does the file server even know the difference? I would assume that with Everyone given full control and password protected sharing turned off, it would not matter what the client user account is.




In any case, how to solve?



UPDATE: To clarify, I am not trying to serve up files on the share directly through IIS. Rather I am writing files to the share from my code (System.IO).

Poor OpenVPN NFS performance

I have EC2 application servers behind an elastic load balancer. All of the application servers have access to a shared storage server, notably for centralized cache files, logging, etc. The shared storage server implements NFS over OpenVPN to do its job. All of the servers are in the same availability zone and talk to each other over the internal network. However, the shared storage solution is leading to abnormally high CPU usage and latency that does not typically exist if storage is 100% local. Slight performance decreases with this setup are expected, but in this case CPU has gone up and output has slowed down by 2-3x.



So, this is a 2 part question:




  1. What can I do to better understand what the culprit is? I know it's the combination of OpenVPN & NFS, but can I identify the specific files being read & written to the most? Or can I easily tell where the bottleneck is?


  2. Does anybody have advice based purely on the information above? Is there a better way to share files cross-server in a cloud-based environment? (Please don't respond with "use S3", as that is not a good fit for instant/temporary file requirements)





Thanks!
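
For the first part, a rough starting point for narrowing down where the time goes (tool availability varies by distro; these are common utilities, not a prescription):

nfsstat -c                  # per-operation NFS client counters (retransmits, getattr storms, etc.)
cat /proc/self/mountstats   # per-mount RPC counts and latencies for NFS mounts
iostat -x 5                 # is the storage server disk-bound?
top                         # is the single-threaded openvpn process pegging a core?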

nat - Cisco IOS, Multiple WAN & Port Forwards (Outside -> Inside PAT)

I have been trying to work out how to accomplish PATing from Outside to Inside on a Cisco IOS router, in this case specifically a Cisco 2901 running IOS Version 15.1(4)M1.




Firstly, the problem I am trying to solve is that we'd like external port forwards to work regardless of which connection is the default gateway.
On this particular router we have two WAN connections. One is on the built-in Gig0/0 interface and the other on an EHWIC card exposing Gig0/0/0.



An example port forward rule in this device:
ip nat inside source static tcp 192.168.1.10 3389 x.x.x.x 3389 extendable



Where x.x.x.x is the IP address of interface Gig0/0/0.



This works fine if Gig0/0/0 is the default gateway for the router, however if Gig0/0 is the default gateway the port forward breaks.



It's also worth noting that the Gig0/1 interface is the default gateway for all LAN computers and servers, and is designated ip nat inside, while Gig0/0 and Gig0/0/0 are both ip nat outside.




I am performing my standard Inside to Outside PAT by using route-map items which matches my NAT ACL with the interface.



I know I can mess around with ip nat outside and NAT pools, but is there a cleaner way I can achieve what I want? Even if I'm going about it the completely wrong way and NAT/PAT isn't the solution to my problem, pointing me in the right direction would be a major help!



The only reason why I think this is my best bet is the fact that every firewall device I've used has functionality in its policies to perform source NAT translation to the IP address of the egress interface, and it is so simple to turn on!



Edit: Watered down config







interface GigabitEthernet0/0
description ----WAN_INTERFACE_PRI----
mtu 1596
ip address x.x.x.x 255.255.255.248
ip access-group SECURE-IN in
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000

no cdp enable
service-policy output EthernetAccessService
!
interface GigabitEthernet0/1
description ----INTERNAL----
ip address 192.168.1.1 255.255.255.0
ip access-group OUT-FILTER in
no ip redirects
no ip proxy-arp
ip flow ingress

ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description ----WAN_INTERFACE_BACK----
ip address y.y.y.y 255.255.254.0
no ip redirects
no ip proxy-arp

ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server

!
ip nat inside source static tcp 192.168.1.10 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source route-map BACK_WAN interface GigabitEthernet0/0/0 overload no-payload
ip nat inside source route-map PRI_WAN interface GigabitEthernet0/0 overload no-payload
!
ip route 0.0.0.0 0.0.0.0 (x.x.x.x Gateway) permanent
ip route 0.0.0.0 0.0.0.0 (y.y.y.y Gateway) 10 permanent
!
ip access-list extended NAT-ACL
permit ip 192.168.1.0 0.0.0.255 any

deny ip any any
ip access-list extended OUT-FILTER
permit icmp any any
permit ip object-group Unrestricted-Access-Group any
deny ip 192.168.1.0 0.0.0.255 any
deny ip any any
ip access-list extended SECURE-IN
permit ip host any
deny tcp any any eq telnet log
deny tcp any any eq 22 log

permit ip any any
!
no cdp run
!
!
!
route-map PRI_WAN permit 10
match ip address NAT-ACL
match interface GigabitEthernet0/0
!

route-map BACK_WAN permit 10
match ip address NAT-ACL
match interface GigabitEthernet0/0/0

Sunday, April 24, 2016

hard drive - 80 pin SCSI Raid Controller to SATA SSD's on IBM e336



I have an old IBM e336 1U server. Currently the only hard drive in the system is an Ultra160 SCSI drive. This drive is old and making noises indicating that its life is going to end soon. Though my data is backed up, I need something to run the OS off of. With the hard drive installed I have booted off a USB key with no problem. When I remove the hard drive I can no longer boot from USB or DVD. On the board there are 2 SATA ports, labeled Left and Right, but neither of these seems to detect any devices attached to them, and in the BIOS there seem to be only 2 hard drive locations, which I can only assume are the 2 SCSI drive bays.




I seem to have run out of options, as 80-pin SCSI to SATA seems to be impossible.
And once the SCSI drive is dead I do not know if I will be able to boot from USB.

1. Can anyone recommend a way to use a modern drive with a SCSI controller?




  2. I have looked at PCI SSDs, but have been told you cannot use these as boot devices either?


  3. Does anyone with experience with the IBM e336 know how to enable the SATA ports?






The xSeries 306 server also has a 1U form factor, but supports uniprocessor operations and only fixed Ultra320 SCSI or SATA HDDs



Answer



I would dump the server. It's 10+ years old. So your options for newer disks are extremely limited. SATA was introduced on server chipsets around the time this server was released. I wouldn't put much hope in using those ports.



Your best option is to add another period-correct SCSI drive. They're readily available on eBay.


Random 502 errors only with phpMyAdmin through nginx/php-fpm, with PHP segfault

I'm using nginx and php-fpm on many servers.
Some have PHP 5.4 with APC and others 5.5 or 5.6 with OPcache.
phpMyAdmin on the servers with 5.4 works without any problems.
phpMyAdmin on the servers with 5.5 or 5.6 throws 502 errors randomly.
All websites hosted on these servers are working well and don't throw 502 errors.



By randomly I mean that I can reload the same AJAX request multiple times and it will fail or succeed absolutely randomly.



I tested by disabling OPcache for phpMyAdmin, but it doesn't change anything.




Here are some nginx error logs:



2015/08/09 23:45:12 [error] 8386#8386: *8 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: XX.XX.XX.XX, server: phpmyadmin.host.com, request: "GET /js/get_scripts.js.php?scripts%5B%5D=jquery/jquery.uitablefilter.js&scripts%5B%5D=gis_data_editor.js&scripts%5B%5D=multi_column_sort.js&scripts%5B%5D=makegrid.js&scripts%5B%5D=sql.js&call_done=1 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "phpmyadmin.host.com", referrer: "https://phpmyadmin.host.com/"
2015/08/09 23:46:04 [error] 8386#8386: *6 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: XX.XX.XX.XX, server: phpmyadmin.host.com, request: "GET /phpinfo.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "phpmyadmin.host.com"


As you can see, even the phpinfo page from phpMyAdmin is sometimes getting a 502.



In the PHP-FPM log, I get a segfault for each 502 error. Here is one:




[09-Aug-2015 23:46:04] WARNING: [pool www] child 6965 exited on signal 11 (SIGSEGV) after 372.815678 seconds from start
[09-Aug-2015 23:46:04] NOTICE: [pool www] child 9104 started


Finally, the configuration used:
nginx site



server {
listen 443 ssl;

listen [::]:443 ssl;
ssl_certificate /etc/ssl/certs/phpmyadmin.pem;
ssl_certificate_key /etc/ssl/private/phpmyadmin.key;

server_name phpmyadmin.host.com;
root /home/var/www/phpmyadmin/;

location ~ \.php$ {
expires off;
include fastcgi_params;

fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php5-fpm.sock;

fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_connect_timeout 300;

fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_param PHP_VALUE "max_execution_time=360 \n memory_limit=500M \n post_max_size=40M \n upload_max_filesize=20M \n opcache.enable=0";
}

location ~ /\. {
deny all;
}
access_log /var/log/nginx/phpmyadmin/access.log;
error_log /var/log/nginx/phpmyadmin/error.log;

}


php-fpm



[www]
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 10

listen.owner = www-data
listen.group = www-data
listen.mode = 0660


phpMyadmin config.inc.php



/* Servers configuration */
$i = 0;


$cfg['blowfish_secret'] = 'a_32_char_long_secret_here';

/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = '';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';

$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';

/* End of servers configuration */

$cfg['DefaultLang'] = 'en';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';

$cfg['ShowPhpInfo'] = true;


Regarding the other PHP extensions:
I'm using Debian packages from dotdeb to install them.
Extensions included:




  • opcache (but disabled for phpMyadmin host)

  • pdo


  • apcu

  • curl

  • gd

  • imap

  • intl

  • mcrypt

  • mysqli

  • mysql

  • pdo_mysql

  • pdo_pgsql


  • pdo_sqlite

  • pgsql

  • readline

  • sqlite3



Do you have any idea what could cause this problem?



Let me know if you need more information.




It might not be directly related to phpMyAdmin, but I have this kind of error ONLY with phpMyAdmin.
The servers are used for various PHP projects: Symfony2, Magento, custom frameworks, etc.



As far as I can see, after some quick and dirty debugging (echo/exit), I found out that the 502s are coming from the chdir instruction in the PMA_response::response function.



Commenting it out makes the phpinfo page from phpMyAdmin work without any problem
(obviously the regular PMA pages don't work properly then...).
I already checked:

Saturday, April 23, 2016

firewall - Unable to connect to APNS with java-apns



I've got a Java program running on a firewalled server that is intended to send push notifications to my iPhone app by using java-apns. Problem is, whenever I try to send a notification the library fails to connect to the APNS server. From the stack trace, it seems that when creating the required SSL connection, the connection is being refused at some point (a java.net.ConnectException with a detail message of "connection refused" is being thrown when the library calls SSLSocketFactory's createSocket method).



It would not surprise me at all if the firewall is blocking the connection, but unfortunately as I do not manage the server I am unable to verify that that is indeed the case. The fact that the program works fine from my (non-firewalled) desktop seems to support the theory.



My question is, does anyone know of any method by which I can find the root cause of the problem, and/or can anyone tell me what I should tell the server admin to change to get things to work (if it is indeed the firewall that's the problem)? My understanding of such things is a bit limited, but it should be as simple as unblocking outgoing connections on port 2195 (the port used by the APNS servers), right?



For reference, the server is a Linux box and I'm using version 0.1.2 of java-apns.


Answer




Well, you should start by simply asking him/her to unblock port 2195 outgoing.



Here's an example:



iptables -A OUTPUT -o eth0 -p tcp --dport 2195 -j ACCEPT



The above assumes that eth0 is the external, internet-facing interface.



You may also have to add a line for incoming (assuming the source is also port 2195 on the other end):




iptables -A INPUT -i eth0 -p tcp --sport 2195 -j ACCEPT



If the source port for the return communication is randomized, you will have to use the state module in iptables to track the connection:



iptables -A OUTPUT -o eth0 -p tcp --dport 2195 \
-m state --state NEW,ESTABLISHED,RELATED \
-j ACCEPT

iptables -A INPUT -i eth0 -p tcp \
-m state --state ESTABLISHED,RELATED \
-j ACCEPT


That's very basic. The administrator is responsible for this kind of thing, not you, so modification of the above is likely necessary. HTH.


Are "Glue" records in DNS used only by nameservers of the same domain?



I am a bit confused about where a "glue record" is used in DNS.




This document says:




If you are using someone else's name servers (eg. your ISP's), you
won't need to worry about glue records. You only need to worry about
glue records when you are configuring your own name servers where a
circular reference exists.




And so a glue record will be present only for nameservers which are within the domain they are authoritative for, i.e. they are required if example.com has a nameserver ns1.example.com, and not required if the nameserver is in another domain.




Based on this document, I used the dig command to see if glue records are present for domains whose nameservers are hosted in another domain. Surprisingly, they too have glue records! I am trying to see if novanext.com has glue records, as their nameservers are in a different domain.



Updated



$ dig ns com.
;; ANSWER SECTION:
com. 85916 IN NS j.gtld-servers.net.
com. 85916 IN NS f.gtld-servers.net.
com. 85916 IN NS i.gtld-servers.net.

com. 85916 IN NS g.gtld-servers.net.
....


And next getting the "glue" record of novanext.com domain.



$ dig ns novanext.com @g.gtld-servers.net.

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ns novanext.com @g.gtld-servers.net.
;; global options: +cmd

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55040
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;novanext.com. IN NS

;; AUTHORITY SECTION:
novanext.com. 172800 IN NS ns2.net4india.com.

novanext.com. 172800 IN NS ns1.net4india.com.

;; ADDITIONAL SECTION:
ns2.net4india.com. 172800 IN A 202.71.131.12
ns2.net4india.com. 172800 IN A 202.71.131.13
ns2.net4india.com. 172800 IN A 202.71.131.241
ns1.net4india.com. 172800 IN A 202.71.128.222
ns1.net4india.com. 172800 IN A 202.71.128.37
ns1.net4india.com. 172800 IN A 202.71.129.33


;; Query time: 279 msec


How is this possible? I have googled a lot but am still not able to figure it out. Any help will be appreciated.


Answer




And so a glue record will be present only for nameservers which are within the domain they are authoritative for, i.e. they are required if example.com has a nameserver ns1.example.com, and not required if the nameserver is in another domain.




Sadly, this is an incorrect conclusion to draw. There's nothing to stop you from serving glue records that aren't strictly necessary. Let's say that I operate the nameservers for example.com, and I want to delegate sub.example.com to ns1.contoso.com.




Defining the delegation is simple enough:



sub.example.com. IN NS ns1.contoso.com.



That should be enough by itself, but I could also define a glue record for it:



ns1.contoso.com. IN A 203.0.113.1



This would cause my nameserver to include 203.0.113.1 in the referrals for ns1.contoso.com as glue. My nameservers aren't responsible for contoso.com, and no sane nameserver on the internet is going to store that glue record in cache.




What they will do is assume that I want 203.0.113.1 to be queried if ns1.contoso.com is not currently in cache. This is fine...until the admins for contoso.com change the IP address of ns1.contoso.com. My glue would be wrong, and in many cases this referral would break.


postfix - Mail marked as spam (Gmail/Hotmail): IP not on blacklist, DKIM Valid, SPF Valid and DMARC valid

I'm trying to send mail from my own domain (which is 15 days old now) but I'm having some troubles. Check the following mail body:



Delivered-To: ------@gmail.com
Received: by 10.25.89.200 with SMTP id n191csp1613325lfb;
Mon, 15 Jun 2015 14:20:52 -0700 (PDT)
X-Received: by 10.194.157.194 with SMTP id wo2mr55865555wjb.103.1434403252309;
Mon, 15 Jun 2015 14:20:52 -0700 (PDT)
Return-Path: <----@mydomain>
Received: from mymaildomain (mail.mymaildomain [])
by mx.google.com with ESMTP id fj6si20368790wib.55.2015.06.15.14.20.52

for <------@gmail.com>;
Mon, 15 Jun 2015 14:20:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of me@mydomain designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of me@mydomai designates 149.210.155.34 as permitted sender) smtp.mail=me@mydomain;
dkim=pass header.i=@mydomain;
dmarc=pass (p=QUARANTINE dis=NONE) header.from=mydomain
Message-ID: <557F41B3.2080107@mydomain>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain; s=mail;
t=1434403152; bh=Wguxgu2qx/vIvpYIpENoa5tTcUlTNO8hTPP2ckEi6NY=;

h=Date:From:To:Subject:From;
b=UFG7EP9F9iFkBdra7TIfQ8q5iexmyT0Jt1Ay/aW+8Z4ti6/G/HPcVk1SIdmuR6RoH
4LkkkKAnHhbae5pZz+oMMIXI3yeAI/n3EQnzdT5TmNBo3K7YluDmfA1yQ8pRL6VE51
VGWdZh+hmimLfR+p1Lnu5BVrQmksURduB0yxlhM4=
Date: Mon, 15 Jun 2015 23:20:51 +0200
From: me@mydomain
To: ----@gmail.com
Subject: Test 20000
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit


Just a small test


As you can see the DKIM, SPF and DMARC are all passing in Gmail, but Gmail (and Hotmail) keep flagging my mails as spam. I Already followed the guides in https://support.google.com/mail/answer/1366858?hl=en-GB&expand=5 and https://mail.live.com/mail/junkemail.aspx but they offer no conclusive information. I also looked at various other Stackoverflow questions, but those all contained dead links for (human) support from Hotmail/Gmail.



The domain is a .EU domain and the IP comes from TransIP (a Dutch VPS hoster). I even subscribed to Microsoft's Junk Email Reporting program (JMRP) and Smart Network Data Services program (SNDS) and added my contact info to abuse.net. But still no luck after checking it every day.



How can I resolve this issue? How can I contact Google/Hotmail about this problem, and why is my e-mail flagged as spam, it's fully authenticated and does not contain any "shady" content?




I contacted Hotmail about the spam issue and they responded with the actions I had already taken. Gmail accepts my mail as legit if I send it over IPv6 (which I have configured as the default now). And no, my IP is not on a blacklist.

Postfix: find out why mail bounces

My otherwise pretty well working Postfix mail server is refusing to deliver a single mail with an attachment. Unfortunately I don't have the error message that was sent to the sender available. But here is the relevant part of the log file:




(added line numbers and anonymized some fields)




01 Nov 26 06:57:38 xs.private postfix/smtpd[24013]: connect from aaa.bbb[12.34.56.78]
02 Nov 26 06:57:39 xs.private postfix/smtpd[24013]: 48CFB8BC0CDA: client=aaa.bbb[12.34.56.78]
03 Nov 26 06:57:39 xs.private postfix/cleanup[24029]: 48CFB8BC0CDA: message-id=<1777B66B84D03E42A2A4E0F30A97A2B4385CC85A@X0361.xs>
04 Nov 26 06:57:44 xs.private postfix/smtpd[24013]: disconnect from aaa.bbb[12.34.56.78]
05 Nov 26 06:57:44 xs.private postfix/qmgr[247]: 48CFB8BC0CDA: from=, size=4785215, nrcpt=1 (queue active)
06 Nov 26 06:57:50 xs.private postfix/smtpd[24047]: connect from localhost[127.0.0.1]
07 Nov 26 06:57:50 xs.private postfix/smtpd[24047]: 6FCC08BC0D66: client=localhost[127.0.0.1]

08 Nov 26 06:57:50 xs.private postfix/cleanup[24029]: 6FCC08BC0D66: message-id=
09 Nov 26 06:57:52 xs.private postfix/qmgr[247]: 6FCC08BC0D66: from=<>, size=6803, nrcpt=1 (queue active)
10 Nov 26 06:57:52 xs.private postfix/smtpd[24047]: disconnect from localhost[127.0.0.1]
11 Nov 26 06:57:52 xs.private postfix/smtp[24034]: 48CFB8BC0CDA: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=13, delays=5.5/0.01/0/7.9, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=98796-09, BOUNCE)
12 Nov 26 06:57:52 xs.private postfix/qmgr[247]: 48CFB8BC0CDA: removed
13 Nov 26 06:57:53 xs.private postfix/smtp[24051]: 6FCC08BC0D66: to=, relay=ccc.ddd[34.56.78.90]:25, delay=2.6, delays=2/0.01/0.28/0.32, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 281520DECC8C7371)
14 Nov 26 06:57:53 xs.private postfix/qmgr[247]: 6FCC08BC0D66: removed


In line 11, it says "status=sent", but the BOUNCE in the same line states that the mail was not sent, but bounced.




How can I find out why Postfix does not want to deliver this mail?



In line 9, the sender changed from "sender@xx" to "<>"; could this be the reason? If so, why did the sender address disappear?



Some more info: this is the mail system of a Mac server, so this is coming more or less out of the box; at least I haven't made any configuration changes.



And btw, can you recommend a good and up-to-date book about postfix and dovecot?

domain name system - Apex ANAME / ALIAS record in Windows Server 2012 R2 DNS Manager



Some DNS hosts offer a way to have an A record that serves an IP address which is determined on-the-fly (or frequently enough via scheduled job) by resolving some other hostname behind the scenes. This is used when example.com (and not a subdomain like www.example.com) MUST point to a host whose IP address changes from time to time, without requiring human intervention every time it changes. The result is that resolving example.com produces an A record, where that A record's IP address is determined by the nameserver dynamically by looking up the IP address of another.example.com which itself could be a CNAME.



DNS Made Easy and easyDNS call it an "ANAME record", Route 53 calls it an "alias resource record", CloudFlare calls it "CNAME Flattening", DNSimple calls it an "ALIAS record". Regardless of what they call it, a standard A record is returned when resolving the hostname.



I haven't come across a publication on how one might implement this, although it's a fairly obvious concept. I intend to replicate this behavior in my nameserver, which is the DNS Manager in Windows Server 2012 R2. Does a plugin for DNS Manager exist for doing this?




EDIT: To avoid the XY problem I'm going to provide full background, starting with The Problem in terms of symptoms, and traversing back through the dependencies since they are an indication of what solutions have and haven't been tried.



Symptoms



SSL/TLS connections to the apex domain (example.com) generate a certificate mismatch. Such connections are not attempted very often, but increasingly so, due to things such as automatic host detection by email clients. For example, we just put in Exchange as our client-facing mail server, and when adding user@example.com as an Exchange account in Android or Mac Mail, the auto host discovery apparently derives "typical" hostnames such as example.com, mail.example.com, exchange.example.com, etc., and gives the user a Big Scary Warning that the CN on the certificate at example.com is not example.com. We actually use exchange.example.com which has a matching cert, but the auto detection must be trying example.com first.



The mismatch warning also occurs when a web browser is pointed to https://example.com, but this is mitigated by the fact that most people type example.com into their address bar, not prefixed with https://, so they end up being upgraded to https://www.example.com with a redirect when necessary. Since www.example.com has a CNAME, so it is able to point to a host where there is no CN mismatch.



Why is there only a matching cert at www.example.com and not example.com?




The server with our matching cert (which, by the way, can easily have SAN entries to match both example.com and *.example.com, no trouble there) is located on an AWS ELB (elastic load balancer) for which Amazon warns that the IP address may change at any time. Due to the dynamic IP address, the ELB is only to be referred to via its hostname, which means a CNAME/ANAME/Flattening/etc. That's why we are able to point www.example.com to the ELB, but not example.com. Amazon suggests using Route 53 to overcome any limitations. When that is not possible, the only solution is to have example.com's A record point not to the ELB, but instead to the upstream server to which normally the ELB reverse proxies.



Why not put the matching cert on that upstream server?



Only the ELB itself is dedicated to me, so only the ELB can have my wildcard cert installed. The upstream server is shared among the hosting provider's clientele. I could have the hosting company add example.com to their laundry list of SANs on their certificate and there wouldn't be a mismatch, but instead I am interested in making full use of the ELB for various reasons.





We are fixed on running DNS in-house on Win2012R2, while all WWW hosts must be on AWS for resiliency.


Answer




Given the exact circumstances of the problem, I would say that the ideal solution would be to point the apex at a webserver that redirects HTTP requests for example.com to www.example.com. www.example.com can in turn be a CNAME to the DNS record managed by AWS.




  • While it would be possible to set up a solution on your servers that automatically updates the apex A record to "chase" AWS, this introduces a great deal of unnecessary complexity and creates additional dependencies on your internal infrastructure for things to work as expected. I would try my hardest to avoid this.

  • Running this webserver yourself would obviously introduce its own set of challenges and dependencies, so it would be natural to turn your attention outward. An example of a commercial service that solves your problem (https inclusive) would be wwwizer.com. Note that I am not linking to their free, non-SSL product.

  • A compromise between simplicity and availability would be to set up a simple webserver in the cloud that you yourself run which performs this redirection. You're still stuck with running the webserver, but at least there are no dependencies on your company's local infrastructure and you have a SLA for its availability.



At the end of the day, you have to ask yourself how important it is that your apex record is always functioning properly. In your situation, it should only be a safeguard for users who key in that record by hand. Make sure your servers and applications are configured with this in mind and the risk should be greatly mitigated. It should also be noted in your design docs (if applicable) to ensure that things remain that way.


Friday, April 22, 2016

zfs - Solaris: detect hotswap SATA disk insert



What's the method used on Solaris to get the system to rescan for new disks that have been hot-plugged on a SATA controller?



I've got an HP X1600 NAS which had 9 drives configured in a ZFS pool. I've added 3 disks, but the format command still only shows the original 9.




When I plugged them in, I saw this:



cpqary3: [ID 823470 kern.notice] NOTICE:  Smart Array P212 Controller
cpqary3: [ID 823470 kern.notice] Hot-plug drive inserted, Port=1I Box=1 Bay=12
cpqary3: [ID 479030 kern.notice] Configured Drive ? ....... NO
cpqary3: [ID 100000 kern.notice]
cpqary3: [ID 823470 kern.notice] NOTICE: Smart Array P212 Controller
cpqary3: [ID 823470 kern.notice] Hot-plug drive inserted, Port=1I Box=1 Bay=11
cpqary3: [ID 479030 kern.notice] Configured Drive ? ....... NO
cpqary3: [ID 100000 kern.notice]

cpqary3: [ID 823470 kern.notice] NOTICE: Smart Array P212 Controller
cpqary3: [ID 823470 kern.notice] Hot-plug drive inserted, Port=1I Box=1 Bay=10
cpqary3: [ID 479030 kern.notice] Configured Drive ? ....... NO


But can't figure out how to get the format command to see them so I know they've been detected by the system.


Answer



Try the devfsadm command



devfsadm -c disk




 The default operation is to attempt to load every driver  in
the system and attach to all possible device instances.
Next, devfsadm creates logical links to device nodes in /dev
and /devices and loads the device policy.

virtualization - Can a Windows 7 Ultimate product key be used for virtual machines as well?










I have Windows 7 Ultimate running on my computer, and I thought I would set up a few virtual machines to help me when I develop so I don't mess up my main system with various installations of SQL Server, Visual Studio versions, etc.



Is it allowed (or even possible) to use the same product key for the virtual machines? Or would I need to get a new product key for each virtual machine?




Is Windows 7 Enterprise different when it comes to this matter?



(Maybe this belongs on stack overflow or super user, but felt virtualization and licensing issues like that belonged more. Please move if not =)


Answer



No, only one XP instance for the XP Mode feature is normally allowed on Ultimate. But if you have Software Assurance, it comes with virtual OS rights for Enterprise and Ultimate which allow you to run four virtual instances of the operating system on the same hardware.



For reference see this post.



Also check out Windows 7 modifies license rights. And Enterprise is a benefit of Software Assurance, so you can't get Enterprise without Software Assurance - hence Enterprise is by default covered by Virtual OS rights.




*** Even Windows 7 Ultimate can be used. The only difference is that you can install it in just one virtual machine, rather than the four allowed under Software Assurance.


Nginx proxy pass works for https but not http



I want to proxy both HTTP and HTTPS traffic to a backend Flask application, and I have the snippet below in my nginx.conf, which works for HTTPS but not for HTTP.





server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/server.crt;
    ssl_certificate_key /usr/local/nginx/server.key;

    location / {
        proxy_redirect off;
        proxy_cache off;
        proxy_pass http://127.0.0.1:5000;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}


Does anyone have any pointers? Is there something obvious in the config file snippet or did I install Nginx wrong?



Thanks!



Answer



I installed nginx on my Redhat16 machine from yum. After I removed the contents of the /etc/nginx/conf.d directory, everything worked as expected. It seems something in that directory was overriding the HTTP proxy_pass.
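

If you'd rather find the conflicting file than empty the whole directory, something like this should narrow it down (paths assume the stock yum layout):

grep -Rn "listen\|server_name\|default_server" /etc/nginx/nginx.conf /etc/nginx/conf.d/
nginx -t && service nginx reload    # validate and reload after removing the offender

On the stock packages the usual culprit is a shipped default.conf with a catch-all listen 80 server that ends up acting as the default server for plain HTTP.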


Thursday, April 21, 2016

chmod - CentOS 5.4 NFS v4 client file permissions differ from original files & NFS Share file contents

I'm having a strange problem with an NFS share and file permissions on one of my two NFS clients: web1 has file permission issues but web2 is fine. web1 and web2 are load-balanced web servers.



So questions are:




  1. How do I ensure the NFS share's file contents retain the same user/group ownership
    as the original files on the web1 server, like they do on the web2 server?

  2. How do I reverse what I did on web1? I tried the unmount command and it said command not found (the correct command is umount).




Information:
I'm using a 3-dedicated-server setup. All 3 servers are CentOS 5.4 64-bit.



servers are as follows:




  • web1 - nfs client with file permissions issues

  • web2 - nfs client file permissions are OKAY

  • db1 - nfs share at /nfsroot




The web2 NFS client was set up by my web host, while web1 was set up by me.



I ran the following commands on web1, and they did update the db1 nfsroot share at /nfsroot/site_css with the latest files from web1, but the file permissions don't stick even though I use tar's -p option to preserve them.



cd /home/username/public_html/forums/script/
tar -zcp site_css/ > site_css.tar.gz
mount -t nfs4 nfsshareipaddress:/site_css /home/username/public_html/forums/scripts/site_css/ -o rw,soft
cd /home/username/public_html/forums/script/
tar -zxf site_css.tar.gz



But checking on web1, the files are no longer owned by the username user/group but by nobody, while on web2 the permissions are correct. This is only a problem on web1. It looks like the numeric IDs aren't the same; how do I correct this?
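

A quick way to confirm whether this is an ID-mapping problem is to compare the numeric IDs and the NFSv4 idmap configuration on each box (a sketch; run on web1, web2 and db1, substituting the real account name):

id username                           # the numeric uid/gid should be identical on every box
grep -i '^Domain' /etc/idmapd.conf    # NFSv4 maps names via idmapd; the Domain must match everywhere
service rpcidmapd status              # the idmap daemon must be running on the clients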



web1 with incorrect user/group of nobody



ls -alh /home/username/public_html/forums/scripts/site_css
total 48K
drwxrwxrwx 2 nobody nobody 4.0K Feb 22 02:37 ./
drwxr-xr-x 3 username username 4.0K Feb 22 02:43 ../
-rw-r--r-- 1 nobody nobody 1 Nov 30 2006 index.html

-rw-r--r-- 1 nobody nobody 5.8K Feb 22 02:37 style-057c3df0-00011.css
-rw-r--r-- 1 nobody nobody 5.8K Feb 22 02:37 style-95001864-00002.css
-rw-r--r-- 1 nobody nobody 5.8K Feb 18 05:37 style-b1879ba7-00002.css
-rw-r--r-- 1 nobody nobody 5.8K Feb 18 05:37 style-cc2f96c9-00011.css


web1 numeric ids



ls -n /home/username/public_html/forums/scripts/site_css
total 48

drwxrwxrwx 2 99 99 4096 Feb 22 02:37 ./
drwxr-xr-x 3 503 500 4096 Feb 22 02:43 ../
-rw-r--r-- 1 99 99 1 Nov 30 2006 index.html
-rw-r--r-- 1 99 99 5876 Feb 22 02:37 style-057c3df0-00011.css
-rw-r--r-- 1 99 99 5877 Feb 22 02:37 style-95001864-00002.css
-rw-r--r-- 1 99 99 5877 Feb 18 05:37 style-b1879ba7-00002.css
-rw-r--r-- 1 99 99 5876 Feb 18 05:37 style-cc2f96c9-00011.css


web2 correct username user/group permissions




ls -alh /home/username/public_html/forums/scripts/site_css
total 48K
drwxrwxrwx 2 root root 4.0K Feb 22 02:37 ./
drwxr-xr-x 3 username username 4.0K Dec 2 14:51 ../
-rw-r--r-- 1 username username 1 Nov 30 2006 index.html
-rw-r--r-- 1 username username 5.8K Feb 22 02:37 style-057c3df0-00011.css
-rw-r--r-- 1 username username 5.8K Feb 22 02:37 style-95001864-00002.css
-rw-r--r-- 1 username username 5.8K Feb 18 05:37 style-b1879ba7-00002.css
-rw-r--r-- 1 username username 5.8K Feb 18 05:37 style-cc2f96c9-00011.css



web2 numeric ids



ls -n /home/username/public_html/forums/scripts/site_css
total 48
drwxrwxrwx 2 503 500 4096 Feb 22 02:37 ./
drwxr-xr-x 3 503 500 4096 Dec 2 14:51 ../
-rw-r--r-- 1 503 500 1 Nov 30 2006 index.html
-rw-r--r-- 1 503 500 5876 Feb 22 02:37 style-057c3df0-00011.css

-rw-r--r-- 1 503 500 5877 Feb 22 02:37 style-95001864-00002.css
-rw-r--r-- 1 503 500 5877 Feb 18 05:37 style-b1879ba7-00002.css
-rw-r--r-- 1 503 500 5876 Feb 18 05:37 style-cc2f96c9-00011.css


I checked /nfsroot/site_css on db1 and the user/group ownership was incorrect for the newer files dated Feb 22: they were owned by root, not username.



on db1 originally incorrect root assigned user/group for new feb22 dated files



ls -alh /nfsroot/site_css

total 44K
drwxrwxrwx 2 root root 4.0K Feb 22 02:37 .
drwxr-xr-x 17 root root 4.0K Feb 17 12:06 ..
-rw-r--r-- 1 root root 1 Nov 30 2006 index.html
-rw-r--r-- 1 root root 5.8K Feb 22 02:37 style-057c3df0-00011.css
-rw-r--r-- 1 root root 5.8K Feb 22 02:37 style-95001864-00002.css
-rw------- 1 username nfs 5.8K Feb 18 05:37 style-b1879ba7-00002.css
-rw------- 1 username nfs 5.8K Feb 18 05:37 style-cc2f96c9-00011.css



Then I ran chmod and chown on db1 to set the correct ownership, so it now looks like this:



on db1 once corrected the newer feb22 dated files



ls -alh /nfsroot/site_css
total 44K
drwxrwxrwx 2 root root 4.0K Feb 22 02:37 .
drwxr-xr-x 17 root root 4.0K Feb 17 12:06 ..
-rw-r--r-- 1 username username 1 Nov 30 2006 index.html
-rw-r--r-- 1 username username 5.8K Feb 22 02:37 style-057c3df0-00011.css

-rw-r--r-- 1 username username 5.8K Feb 22 02:37 style-95001864-00002.css
-rw-r--r-- 1 username username 5.8K Feb 18 05:37 style-b1879ba7-00002.css
-rw-r--r-- 1 username username 5.8K Feb 18 05:37 style-cc2f96c9-00011.css


But web1 still shows the files owned by nobody, while web2 shows the correct permissions.



web1 still has the incorrect user/group of nobody, not matching what web2 and db1 are set to:



ls -alh /home/username/public_html/forums/scripts/site_css

total 48K
drwxrwxrwx 2 nobody nobody 4.0K Feb 22 02:37 ./
drwxr-xr-x 3 username username 4.0K Feb 22 02:43 ../
-rw-r--r-- 1 nobody nobody 1 Nov 30 2006 index.html
-rw-r--r-- 1 nobody nobody 5.8K Feb 22 02:37 style-057c3df0-00011.css
-rw-r--r-- 1 nobody nobody 5.8K Feb 22 02:37 style-95001864-00002.css
-rw-r--r-- 1 nobody nobody 5.8K Feb 18 05:37 style-b1879ba7-00002.css
-rw-r--r-- 1 nobody nobody 5.8K Feb 18 05:37 style-cc2f96c9-00011.css



This is very confusing, so any help is much appreciated!



thanks

active directory - How can I figure out my LDAP connection string?



We're on a corporate network that's running Active Directory and we'd like to test out some LDAP stuff (the Active Directory membership provider, actually), and so far none of us can figure out what our LDAP connection string is. Does anyone know how we can go about finding it? The only thing we know is the domain that we're on.



Answer



The ASP.NET Active Directory Membership Provider does an authenticated bind to the Active Directory using a specified username, password, and "connection string". The connection string is made up of the LDAP server's name, and the fully-qualified path of the container object where the user specified is located.



The connection string begins with the URI LDAP://.



For the server name, you can use the name of a domain controller in that domain-- let's say "dc1.corp.domain.com". That gives us LDAP://dc1.corp.domain.com/ thus far.



The next bit is the fully qualified path of the container object where the binding user is located. Let's say you're using the "Administrator" account and your domain's name is "corp.domain.com". The "Administrator" account is in a container named "Users" located one level below the root of the domain. Thus, the fully qualified DN of the "Users" container would be: CN=Users,DC=corp,DC=domain,DC=com. If the user you're binding with is in an OU, instead of a container, the path would include "OU=ou-name".



So, using an account in an OU named Service Accounts that's a sub-OU of an OU named Corp Objects that's a sub-OU of a domain named corp.domain.com would have a fully-qualified path of OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com.




Combine the LDAP://dc1.corp.domain.com/ with the fully qualified path to the container where the binding user is located (like, say, LDAP://dc1.corp.domain.com/OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com) and you've got your "connection string".
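

If you're not sure of the binding account's exact distinguished name, dsquery on any domain-joined machine will print it for you (svc-web is a placeholder account name):

C:\> dsquery user -samid svc-web
"CN=svc-web,OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com"

Strip off the leading CN= component of that output to get the container/OU path that goes into the connection string.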



(You can use the domain's name in the connection string as opposed to the name of a domain controller. The difference is that the domain's name will resolve to the IP address of any domain controller in the domain. That can be both good and bad. You're not reliant on any single domain controller to be up and running for the membership provider to work, but if the name happens to resolve to, say, a DC in a remote location with spotty network connectivity then you may have problems with the membership provider working.)


Wednesday, April 20, 2016

mongodb - mongod non-mapped virtual memory doubled suddenly, has not changed since



The non-mapped virtual memory stat for our mongo primary has always been constant, and we never gave it much thought before yesterday. Yesterday, a series of accidental full-collection scans from a poorly designed query resulted in a big slowdown, where the mongod process was using 100% CPU, and every query was taking tens of seconds.



After offloading the offending query to our secondaries, the performance problems disappeared, but the non-mapped virtual memory more than doubled, and hasn't gone down since. It used to hold at about 600MB; now it's at about 1.4GB. The increase was immediate, and exactly correlates to the slowdown, and it hasn't changed at all since.




The number of connections has been completely constant throughout, so we can be sure it isn't that.



What might cause this? Is it a problem? Should we be concerned?



Running on Ubuntu 12.04 64-bit on an EC2 instance.


Answer



Because virtual memory is effectively free, nobody bothers to clean it up or minimize its usage. So long as the resident set size is reasonable, I wouldn't worry about it.
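

If you want to keep an eye on it anyway, the numbers are all in serverStatus (a sketch; the field names below are from the MMAPv1-era serverStatus output):

mongo --quiet --eval 'printjson(db.serverStatus().mem)'
# typical fields: resident, virtual, mapped, mappedWithJournal (values in MB);
# "non-mapped" virtual memory is roughly virtual minus the mapped figure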


migration - Inplace migrating ZFS RAIDZ with 3 drives to 4 disks, when pool has more than 1/3 of free space



When creating my RAID-Z pool on ZoL I assumed I could easily just drop in additional disks later on. Meanwhile I have learned that this is not yet possible.




But... I had a similar problem when creating my initial pool. Only 4 free SATA ports, but an old RAID5 with three 2TB disks and a new RAIDZ1 with three 4TB disks. The solution was to a) degrade the RAID5 and b) build the initial RAIDZ with a sparse file as a "virtual third drive", which was immediately taken offline after pool creation:




  1. Create sparse file: dd if=/dev/zero of=/zfs1 bs=1 count=1 seek=4100G

  2. Create the raidz pool: zpool create zfspool raidz /dev/disk1 /dev/disk2 /zfs1

  3. Immediately take the sparse file offline: zpool offline zfspool /zfs1

  4. Migrate the data to zfspool. Remove the old RAID5 disks, add the third, new 4TB disk

  5. Replace & resilver the sparse file in the pool with the actual, third drive:
    zpool replace zfspool /zfs1 /dev/disk3




This worked out really great! Now I have learned that although ZFS does not directly support adding a single disk to a RAIDZ vdev, it does support replacing the disks one by one with larger ones.



So here is my plan. Does anybody see a flaw in it?




  • Buy a fourth 4TB disk and take one disk offline from the existing pool

  • Create 2x2TB partitions on each of these two free disks.

  • Build a RAIDZ out of these four "disks": 3x2TB = 6TB net storage.

  • For performance reasons: take one of the 2nd partitions offline immediately


  • Migrate max. 6TB of data to the new pool & destroy the old pool

  • Replace the offline "2TB disk" with a real 4TB disk from the old pool. Wait for resilvering.

  • On the drive with 2 active partitions: take the 2nd 2TB partition offline and replace it with the second 4TB disk from the old pool. Wait for resilvering.

  • One by one: take a remaining 2TB partition offline, grow the partition to the full 4TB and re-add the disk to the pool. Wait for resilvering.

  • Rinse & repeat for the very last 2TB disk/partition



Will this work? I know that I'm more vulnerable to data loss due to the missing redundancy during the process, but I will have a backup of the most important data, just not enough for the whole 6TB payload.



And will ZFS automatically grow the pool to (3+1)x4TB = 12TB after the last step?



Answer



Ugly, but this would work.



Except when it doesn't. ;)




  • Be very careful when specifying the partitions and when replacing the disks

  • Try it in a VM beforehand: set up the virtual disks like your hardware and dry-run it once or twice (see the file-backed sketch below).

  • Run a scrub before you start and take a look at the S.M.A.R.T. info for the disks. You do not want to try this with an already flaky disk.
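

A file-backed dry run (instead of, or in addition to, the VM) is cheap. Something along these lines, with paths and sizes purely as placeholders:

# scaled-down stand-ins for the 2TB partitions and the 4TB disks
for f in 1 2 3 4; do truncate -s 2G /var/tmp/small$f; truncate -s 4G /var/tmp/big$f; done
zpool create testpool raidz /var/tmp/small1 /var/tmp/small2 /var/tmp/small3 /var/tmp/small4
zpool set autoexpand=on testpool
# walk through the plan: replace the small "disks" one at a time, letting each resilver finish
zpool replace testpool /var/tmp/small1 /var/tmp/big1
zpool status testpool
zpool list testpool    # capacity only grows once the last small vdev has been replaced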




Important: you had better have a tested backup on another medium or machine before trying this!



Yes, ZFS will grow the pool once the last 2TB disk or partition is replaced with a 4TB one (if you have autoexpand=on set for the pool):



zpool get autoexpand $pool

zpool set autoexpand=on $pool



On a side note: you should not use single-parity RAID-Z on disks bigger than 2TB. The chance of hitting a read error during resilvering when replacing a faulted disk is very high. Please consider RAID-Z2.


linux - Cron Permission Denied

Good day.
I have a bash script in my home directory that works properly from the command line (the file structure is a default Media Temple DV, noted because of certain permission issues), but I receive this error from cron: "/home/myFile.sh: line 2: /var/www/vhosts/domain.com/subdomains/techspatch/installation.sql: Permission denied". NOTICE: it's just line 2... it writes to the local server just fine.



Below is the Bash File:




#!/bin/bash
mysqldump -uUSER -pPASSWORD -hHOST dbName > /var/www/vhosts/domain.com/subdomains/techspatch/installation.sql

mysql -uadmin -pPASSWORD -hlocalhost dbName < /var/www/vhosts/domain.com/subdomains/techspatch/installation.sql


I can't chmod it from bash (lol, yeah, I tried). Writing the file there and setting the permissions before the transfer is useless...



I have googled the heck out of this situation and it still seems unique... any insight is appreciated.
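

For what it's worth, a throwaway cron entry like this usually reveals which user and umask the job actually runs under, which tends to explain a "Permission denied" on only one line (the log path is arbitrary):

* * * * * id > /tmp/cron_whoami.log 2>&1; umask >> /tmp/cron_whoami.log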

Tuesday, April 19, 2016

g suite - Mail bouncing when using a CNAME for domain root and load balancing



We recently moved to EC2 and started using Amazon's ELB for load balancing. We're using CloudFlare for DNS, which allows us to use a CNAME at the domain root. However, we occasionally have people tell us that our emails are bouncing with some variation of the following error:




first.last@ourdomain.com... Deferred: Connection refused by our-production-loadbalancer.elb.amazonaws.com.



We are using Google Apps for mail and our MX records are configured properly, so I'm not sure at what point the mail clients or servers are attempting to resolve our domain and receiving the CNAME record instead.



Does anyone understand why the MX records would be ignored? Is this a result of using a CNAME? I would imagine that the same thing could/would happen if we pointed an A record at an IP address that was also not accepting mail.


Answer



If you have a domain example.invalid:



; example.invalid
$TTL 604800

@       IN      SOA     ns1.example.invalid. root.example.invalid. (
                        2006020201      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      NS      ns1
        IN      MX      10 mail
        IN      CNAME   anotherdomain.invalid.



You are saying:




Hey, you can find example.invalid at whatever address anotherdomain.invalid can be found. And by the way, any MX records, SRV records or other records for example.invalid are also whatever anotherdomain.invalid tells you. That means mail sent to example.invalid will use the MX record of anotherdomain.invalid.
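

To see it in action, an MX lookup for the aliased name comes back as the CNAME chain (illustrative output only, using the placeholder domains from the zone above):

$ dig +noall +answer example.invalid MX
example.invalid.         604800  IN  CNAME  anotherdomain.invalid.
anotherdomain.invalid.   3600    IN  MX     10 mail.anotherdomain.invalid.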









Monday, April 18, 2016

linux - Can I make an ext3 filesystem recognize (and use) the entire partition?



Using gparted and partimage from SysRescCD I recently




  1. made a backup image of the partition containing my Ubuntu installation,

  2. deleted all partitions except for the original Windows partitions

  3. reduced the size of the Win7 partition


  4. created an extended partition using all unallocated space

  5. within the extended partition, created an ext3 partition and a swap partition

  6. restored the backup image to the ext3 partition



After these operations the ext3 partition is larger than when I started, but the filesystem is still reporting the old size:



$ fdisk -l 
Disk /dev/sda: 640.1 GB, 640135028736 bytes
255 heads, 63 sectors/track, 77825 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x1549f232

Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 102400 7 HPFS/NTFS
Partition 1 does not end on cylinder boundary.
/dev/sda2 13 12772 102487666 7 HPFS/NTFS
/dev/sda3 12773 76258 509947904 5 Extended

/dev/sda4 76258 77826 12591104 7 HPFS/NTFS
/dev/sda5 12773 25597 103010304 83 Linux
/dev/sda6 25597 27016 11395072 82 Linux swap / Solaris
/dev/sda7 27016 59024 257102848 83 Linux


The extended partition /dev/sda3 contains /dev/sda5, /dev/sda6, and /dev/sda7. The Ubuntu image is on /dev/sda5, which is the same partition it was originally on. Before the operations /dev/sda5 was 50GB; now it is 98GB.



$ sudo df -h
Filesystem Size Used Avail Use% Mounted on

/dev/sda5 50G 46G 2.3G 96% /
none 2.9G 276K 2.9G 1% /dev
none 3.0G 2.1M 3.0G 1% /dev/shm
none 3.0G 372K 3.0G 1% /var/run
none 3.0G 0 3.0G 0% /var/lock
none 50G 46G 2.3G 96% /var/lib/ureadahead/debugfs
/dev/sdb1 597G 170G 427G 29% /media/My Book__
/dev/sda7 242G 8.2G 221G 4% /media/012583af-4e10-4bec-84b2-d691c3fd5f96



I'm looking for advice on what I can do to have ext3 on /dev/sda5 utilize the full 98G.


Answer



What you're attempting to do is resize the filesystem. Your image-based backup kept all of the metadata that was on the original partition, which, as you noticed, also included the size. The program for this is resize2fs. You've already done the heavy lifting of getting the partition enlarged, so it should go pretty fast. Since it is your root partition, this will have to be done from single-user mode (or possibly booted from a live Linux ISO of some kind, I'm not certain).



resize2fs /dev/sda5



That should be all you need to do.
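

In practice, the sequence from single-user mode (or a rescue environment), with /dev/sda5 unmounted, would look roughly like this:

e2fsck -f /dev/sda5                   # resize2fs wants a freshly checked filesystem first
resize2fs /dev/sda5                   # with no size argument it grows to fill the partition
mount /dev/sda5 /mnt && df -h /mnt    # confirm the new ~98G size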


raid - ProLiant DL180 G6 with Smart Array P410 failed logical drive (keeps failing and needing rebuild)

I have an issue with a bunch of DL180s, each with a P410 Smart Array and 2 logical drives: one is for the root filesystem, and the other is a large-ish 10TB filesystem that is exported over NFS.



The boxes are primarily nfs servers, and are frequently maxed out and are the bottleneck in the processing chain.



Every so often one of these 10TB logical drives fails and needs to be rebuilt. This happens about once a month, and it's a pain.



The message is " Message: This logical drive has failed and cannot be used. All data on this logical drive has been lost."



We have tried updating the firmware on the disk array and the kernel module, and various flavours of Linux have been used for the host OS (Debian, CentOS), with both xfs and ext3 tried as filesystem types. However, the logical drives still regularly need rebuilding from backups.




I have attached a hpacucli diagnostic output for one of the failed drives. http://pastebin.com/9zTiuSAN



Some interesting output items:



Smart Array P410 in slot 1 : Identify Controller
RAM Firmware Revision 2.00
ROM Firmware Revision 2.00



Any suggestions on what might be the problem, or how I might go about instrumenting these arrays/disks to get an idea of what is causing the drive to fail?




# cat output.txt  | grep -B 2 'Drive Firmware Rev'
Drive Model ATA GB1000EAMYC
Drive Serial Number WMATV2509266
Drive Firmware Revision HPG2
--
Drive Model ATA GB1000EAMYC
Drive Serial Number WMATV1739564
Drive Firmware Revision HPG2
--

Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ456MN
Drive Firmware Revision HPG8
--
Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ45RS3
Drive Firmware Revision HPG8
--
Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ460P0

Drive Firmware Revision HPG8
--
Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ454YN
Drive Firmware Revision HPG8
--
Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ4664M
Drive Firmware Revision HPG8
--

Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ457M9
Drive Firmware Revision HPG8
--
Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ46Q9E
Drive Firmware Revision HPG8
--
Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ4630X

Drive Firmware Revision HPG8
--
Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ454PD
Drive Firmware Revision HPG8
--
Drive Model ATA GB1000EAFJL
Drive Serial Number 9QJ45Z0Y
Drive Firmware Revision HPG8
--

Drive Model HP DF0146B8052
Drive Serial Number 3QN1KS7H00009949SQ4M
Drive Firmware Revision HPD5
--
Drive Model HP DF0146B8052
Drive Serial Number 3QN1KNFS00009949UX4F
Drive Firmware Revision HPD5
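

Given the mix of drive firmware shown above, one way to instrument these boxes between failures is to poll the controller and the individual disks on a schedule (a sketch; slot 1 is taken from the diagnostic output, and the smartctl device path depends on whether the cciss or hpsa driver is in use):

hpacucli ctrl slot=1 show config detail    # controller, array and logical drive state
hpacucli ctrl slot=1 pd all show detail    # per-physical-drive status and error counters
smartctl -a -d cciss,0 /dev/cciss/c0d0     # raw SMART data for bay 0; repeat for each bay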

Partition alignment on MegaRAID RAID 1 with 4k sector (advanced format) drives

I want to set up RAID 1 (mirroring) on an LSI MegaRAID SAS 8708EM2 (1078 chipset) with 4k sector (advanced format) drives. To the best of my knowledge the controller does not officially support 4k sector drives, whereas the newer 9xxxx series controllers (2108 chipset) do. However, I can trick the OS into treating the RAID device as a 4k sector drive (FreeBSD geom gnop).



The question is, will 4k sectors on the hardware RAID device (the device presented by the controller to the OS) be mapped one-to-one to 4k sectors on the physical disk?




According to the LSI manual
MegaRAID® SAS Software User Guide
sec. 4.15.3.3, MegaRAID stores RAID metadata at the end of each physical disk. So the first sector of the RAID device should indeed map to the first sector of the physical drives.



Are there any other factors that affect sector mapping to the disk?
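

For what it's worth, a minimal FreeBSD sketch of combining a 4k-aligned partition with the gnop trick (assuming the RAID volume shows up as mfid0; names are placeholders):

gpart create -s gpt mfid0
gpart add -t freebsd-zfs -a 4k -l data0 mfid0   # start on a 4k boundary (-a needs a recent gpart; older ones can use -b 2048)
gnop create -S 4096 /dev/gpt/data0              # present a 4k-sector view of the partition
zpool create tank /dev/gpt/data0.nop            # pool gets created with ashift=12
zpool export tank
gnop destroy /dev/gpt/data0.nop
zpool import tank                               # reimports against the real device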

Sunday, April 17, 2016

switch - Power loss at company



Property management at my organization has informed me that our building will be losing power for 4 hours tomorrow. I need to be prepared for this event (we're a small organization, I'm young, therefore I am IT). What sorts of things do I need to be aware of?



I am planning on going in and shutting down all machines and printers. Will this cover me? We have a managed switch. Does it need to be shut down? Do I need to disconnect plugs in case of a surge?



Seems like I'll be covered all around if I just unplug everything. Thanks for any insight though.


Answer



Before the outage:





  • Power everything off - workstations, servers, printers, switches, the works.

  • Turn off your UPSes so they don't panic when power is lost.



After outage in this order:




  • Turn on UPS


  • Turn on networking (router, switches etc)

  • Turn on servers

  • Turn on workstations

  • Turn on everything else



Have a test plan ready so you can test important functionality is working




  • Internet connectivity


  • Email, printing etc



If possible, have a laptop with a separate network connection handy (ie: you can get to the internet without your work router working). That way you have a way to ask for help here if something goes wrong with the networking when it comes back up. :)



You should be fine though - the fact that you took the time to ask here shows you already have the requisite "clue" required for IT support!


Thursday, April 14, 2016

What is Best storage servers infrastructure ? DAS/NAS/SAN or installing GlusterFS/LUSTER/HDFS/RBDB

I am trying to design an infrastructure for the project I am working on. It would be a file-sharing/downloading project (like RapidShare), and I would need large amounts of storage and good scalability; I would add new storage nodes as the project grows.



I have come up with several candidate solutions for my project: Lustre, GlusterFS, HDFS, RDBD.




To start, I would have 2 servers: one running the GlusterFS client + web server + DB server + a streaming server, and the other acting as a Gluster storage node. (After some time I would add more storage nodes and client servers; I don't know yet how many, I'll see later.)



So I am thinking of working with GlusterFS. But I really wonder whether I need high-performance servers with large storage, or whether average/slow servers with large storage are enough. Or are NAS/DAS/SAN solutions better for GlusterFS storage nodes? I might buy a NAS and install GlusterFS onto it. I would be happy to hear your recommendations for the server specs (for both clients and nodes). I don't know whether I really need a lot of RAM and good CPUs for the nodes; I am sure I need them for the client servers.



The files would be streamed as well, so automatic file replication is important. My system should work like a cloud: under high traffic, the storage nodes should replicate the most-demanded files so they can be streamed from multiple places, which would help me avoid scalability problems and let my visitors stream/download those files.



Also, I am open to your experiences/thoughts about any good solution. Lustre, HDFS and RDBD are the other options, and I would be happy to hear your thoughts on them. I would be very happy to hear back from anyone about any of the options I have mentioned here.



Thanks







Edit:



I know that IOPS is the critical variable I have to account for in every calculation of my network design; that's why I mention random requests. But unfortunately I don't have any statistics at all. That's why I am here :)



My project works like this: you enter a download URL on my website, my server downloads it, and then you download it from my own server, like a proxy downloader.



So I have a server with a 100Mbit connection and a 2TB HDD for now. I am thinking of adding NAS servers. I really don't know if I have to add duplicated storage nodes in the NAS. And is there a limit to how many NAS devices I can connect? I mean, can I connect a maximum of 2 NAS servers to my main server?

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...